- Renamed ciphers member of ssl_context and cipher member of ssl_session to ciphersuites and ciphersuite respectively. This clarifies the difference with the generic cipher layer and is better naming altogether

- Adapted the rest of the code that uses these members as well
Paul Bakker 2011-01-27 17:40:50 +00:00
parent fc36d16e84
commit e3166ce040
10 changed files with 163 additions and 171 deletions


@ -24,6 +24,11 @@ Note: Most of these features have been donated by Fox-IT
Changes Changes
* x509parse_time_expired() checks time in addition to * x509parse_time_expired() checks time in addition to
the existing date check the existing date check
* The ciphers member of ssl_context and the cipher member
of ssl_session have been renamed to ciphersuites and
ciphersuite respectively. This clarifies the difference
with the generic cipher layer and is better naming
altogether
= Version 0.14.0 released on 2010-08-16 = Version 0.14.0 released on 2010-08-16
Features Features


@ -199,7 +199,7 @@ typedef struct _ssl_context ssl_context;
struct _ssl_session struct _ssl_session
{ {
time_t start; /*!< starting time */ time_t start; /*!< starting time */
int cipher; /*!< chosen cipher */ int ciphersuite; /*!< chosen ciphersuite */
int length; /*!< session id length */ int length; /*!< session id length */
unsigned char id[32]; /*!< session identifier */ unsigned char id[32]; /*!< session identifier */
unsigned char master[48]; /*!< the master secret */ unsigned char master[48]; /*!< the master secret */
@ -295,7 +295,7 @@ struct _ssl_context
sha1_context fin_sha1; /*!< Finished SHA-1 checksum */ sha1_context fin_sha1; /*!< Finished SHA-1 checksum */
int do_crypt; /*!< en(de)cryption flag */ int do_crypt; /*!< en(de)cryption flag */
int *ciphers; /*!< allowed ciphersuites */ int *ciphersuites; /*!< allowed ciphersuites */
int pmslen; /*!< premaster length */ int pmslen; /*!< premaster length */
int keylen; /*!< symmetric key length */ int keylen; /*!< symmetric key length */
int minlen; /*!< min. ciphertext length */ int minlen; /*!< min. ciphertext length */
@ -325,27 +325,38 @@ struct _ssl_context
extern "C" { extern "C" {
#endif #endif
extern int ssl_default_ciphers[]; extern int ssl_default_ciphersuites[];
/** /**
* \brief Returns the list of ciphers supported by the SSL/TLS module. * \brief Returns the list of ciphersuites supported by the SSL/TLS module.
* *
* \return a statically allocated array of ciphers, the last entry * \return a statically allocated array of ciphersuites, the last
* is 0. * entry is 0.
*/ */
static inline const int *ssl_list_ciphers( void ) static inline const int *ssl_list_ciphersuites( void )
{ {
return ssl_default_ciphers; return ssl_default_ciphersuites;
} }
/** /**
* \brief Return the name of the cipher associated with the given ID * \brief Return the name of the ciphersuite associated with the given
* ID
* *
* \param cipher_id SSL cipher ID * \param ciphersuite_id SSL ciphersuite ID
* *
* \return a string containing the cipher name * \return a string containing the ciphersuite name
*/ */
const char *ssl_get_cipher_name( const int cipher_id ); const char *ssl_get_ciphersuite_name( const int ciphersuite_id );
/**
* \brief Return the ID of the ciphersuite associated with the given
* name
*
* \param ciphersuite_name SSL ciphersuite name
*
* \return the ID with the ciphersuite or 0 if not found
*/
int ssl_get_ciphersuite_id( const char *ciphersuite_name );
/** /**
* \brief Initialize an SSL context * \brief Initialize an SSL context
@ -458,12 +469,12 @@ void ssl_set_session( ssl_context *ssl, int resume, int timeout,
ssl_session *session ); ssl_session *session );
/** /**
* \brief Set the list of allowed ciphersuites * \brief Set the list of allowed ciphersuites
* *
* \param ssl SSL context * \param ssl SSL context
* \param ciphers 0-terminated list of allowed ciphers * \param ciphersuites 0-terminated list of allowed ciphersuites
*/ */
void ssl_set_ciphers( ssl_context *ssl, int *ciphers ); void ssl_set_ciphersuites( ssl_context *ssl, int *ciphersuites );
/** /**
* \brief Set the data required to verify peer certificate * \brief Set the data required to verify peer certificate
@ -557,13 +568,13 @@ int ssl_get_bytes_avail( const ssl_context *ssl );
int ssl_get_verify_result( const ssl_context *ssl ); int ssl_get_verify_result( const ssl_context *ssl );
/** /**
* \brief Return the name of the current cipher * \brief Return the name of the current ciphersuite
* *
* \param ssl SSL context * \param ssl SSL context
* *
* \return a string containing the cipher name * \return a string containing the ciphersuite name
*/ */
const char *ssl_get_cipher( const ssl_context *ssl ); const char *ssl_get_ciphersuite( const ssl_context *ssl );
/** /**
* \brief Return the current SSL version (SSLv3/TLSv1/etc) * \brief Return the current SSL version (SSLv3/TLSv1/etc)
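Review bot: ssl_set_ciphersuites() still takes a non-const `int *ciphersuites` while the new ssl_list_ciphersuites() returns `const int *`, so the library's own list cannot be handed to the setter without a cast. Declaring the parameter as `const int *ciphersuites`, with a matching `const int *ciphersuites;` member in struct _ssl_context, would close that gap. The doc comment should also state that the array is stored by pointer rather than copied (the setter's body elsewhere in this commit only assigns it), so it must stay valid and 0-terminated for as long as the context uses it. The \return line of ssl_get_ciphersuite_id reads better as `the ID of the ciphersuite, or 0 if not found`.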


@ -88,8 +88,8 @@ static int ssl_write_client_hello( ssl_context *ssl )
/* /*
* 38 . 38 session id length * 38 . 38 session id length
* 39 . 39+n session id * 39 . 39+n session id
* 40+n . 41+n cipherlist length * 40+n . 41+n ciphersuitelist length
* 42+n . .. cipherlist * 42+n . .. ciphersuitelist
* .. . .. compression alg. (0) * .. . .. compression alg. (0)
* .. . .. extensions (unused) * .. . .. extensions (unused)
*/ */
@ -107,19 +107,19 @@ static int ssl_write_client_hello( ssl_context *ssl )
SSL_DEBUG_MSG( 3, ( "client hello, session id len.: %d", n ) ); SSL_DEBUG_MSG( 3, ( "client hello, session id len.: %d", n ) );
SSL_DEBUG_BUF( 3, "client hello, session id", buf + 39, n ); SSL_DEBUG_BUF( 3, "client hello, session id", buf + 39, n );
for( n = 0; ssl->ciphers[n] != 0; n++ ); for( n = 0; ssl->ciphersuites[n] != 0; n++ );
*p++ = (unsigned char)( n >> 7 ); *p++ = (unsigned char)( n >> 7 );
*p++ = (unsigned char)( n << 1 ); *p++ = (unsigned char)( n << 1 );
SSL_DEBUG_MSG( 3, ( "client hello, got %d ciphers", n ) ); SSL_DEBUG_MSG( 3, ( "client hello, got %d ciphersuites", n ) );
for( i = 0; i < n; i++ ) for( i = 0; i < n; i++ )
{ {
SSL_DEBUG_MSG( 3, ( "client hello, add cipher: %2d", SSL_DEBUG_MSG( 3, ( "client hello, add ciphersuite: %2d",
ssl->ciphers[i] ) ); ssl->ciphersuites[i] ) );
*p++ = (unsigned char)( ssl->ciphers[i] >> 8 ); *p++ = (unsigned char)( ssl->ciphersuites[i] >> 8 );
*p++ = (unsigned char)( ssl->ciphers[i] ); *p++ = (unsigned char)( ssl->ciphersuites[i] );
} }
SSL_DEBUG_MSG( 3, ( "client hello, compress len.: %d", 1 ) ); SSL_DEBUG_MSG( 3, ( "client hello, compress len.: %d", 1 ) );
@ -235,7 +235,7 @@ static int ssl_parse_server_hello( ssl_context *ssl )
/* /*
* 38 . 38 session id length * 38 . 38 session id length
* 39 . 38+n session id * 39 . 38+n session id
* 39+n . 40+n chosen cipher * 39+n . 40+n chosen ciphersuite
* 41+n . 41+n chosen compression alg. * 41+n . 41+n chosen compression alg.
* 42+n . 43+n extensions length * 42+n . 43+n extensions length
* 44+n . 44+n+m extensions * 44+n . 44+n+m extensions
@ -265,14 +265,14 @@ static int ssl_parse_server_hello( ssl_context *ssl )
* Check if the session can be resumed * Check if the session can be resumed
*/ */
if( ssl->resume == 0 || n == 0 || if( ssl->resume == 0 || n == 0 ||
ssl->session->cipher != i || ssl->session->ciphersuite != i ||
ssl->session->length != n || ssl->session->length != n ||
memcmp( ssl->session->id, buf + 39, n ) != 0 ) memcmp( ssl->session->id, buf + 39, n ) != 0 )
{ {
ssl->state++; ssl->state++;
ssl->resume = 0; ssl->resume = 0;
ssl->session->start = time( NULL ); ssl->session->start = time( NULL );
ssl->session->cipher = i; ssl->session->ciphersuite = i;
ssl->session->length = n; ssl->session->length = n;
memcpy( ssl->session->id, buf + 39, n ); memcpy( ssl->session->id, buf + 39, n );
} }
@ -290,19 +290,19 @@ static int ssl_parse_server_hello( ssl_context *ssl )
SSL_DEBUG_MSG( 3, ( "%s session has been resumed", SSL_DEBUG_MSG( 3, ( "%s session has been resumed",
ssl->resume ? "a" : "no" ) ); ssl->resume ? "a" : "no" ) );
SSL_DEBUG_MSG( 3, ( "server hello, chosen cipher: %d", i ) ); SSL_DEBUG_MSG( 3, ( "server hello, chosen ciphersuite: %d", i ) );
SSL_DEBUG_MSG( 3, ( "server hello, compress alg.: %d", buf[41 + n] ) ); SSL_DEBUG_MSG( 3, ( "server hello, compress alg.: %d", buf[41 + n] ) );
i = 0; i = 0;
while( 1 ) while( 1 )
{ {
if( ssl->ciphers[i] == 0 ) if( ssl->ciphersuites[i] == 0 )
{ {
SSL_DEBUG_MSG( 1, ( "bad server hello message" ) ); SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
return( POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO ); return( POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO );
} }
if( ssl->ciphers[i++] == ssl->session->cipher ) if( ssl->ciphersuites[i++] == ssl->session->ciphersuite )
break; break;
} }
@ -329,11 +329,11 @@ static int ssl_parse_server_key_exchange( ssl_context *ssl )
SSL_DEBUG_MSG( 2, ( "=> parse server key exchange" ) ); SSL_DEBUG_MSG( 2, ( "=> parse server key exchange" ) );
if( ssl->session->cipher != SSL_EDH_RSA_DES_168_SHA && if( ssl->session->ciphersuite != SSL_EDH_RSA_DES_168_SHA &&
ssl->session->cipher != SSL_EDH_RSA_AES_128_SHA && ssl->session->ciphersuite != SSL_EDH_RSA_AES_128_SHA &&
ssl->session->cipher != SSL_EDH_RSA_AES_256_SHA && ssl->session->ciphersuite != SSL_EDH_RSA_AES_256_SHA &&
ssl->session->cipher != SSL_EDH_RSA_CAMELLIA_128_SHA && ssl->session->ciphersuite != SSL_EDH_RSA_CAMELLIA_128_SHA &&
ssl->session->cipher != SSL_EDH_RSA_CAMELLIA_256_SHA) ssl->session->ciphersuite != SSL_EDH_RSA_CAMELLIA_256_SHA)
{ {
SSL_DEBUG_MSG( 2, ( "<= skip parse server key exchange" ) ); SSL_DEBUG_MSG( 2, ( "<= skip parse server key exchange" ) );
ssl->state++; ssl->state++;
@ -522,11 +522,11 @@ static int ssl_write_client_key_exchange( ssl_context *ssl )
SSL_DEBUG_MSG( 2, ( "=> write client key exchange" ) ); SSL_DEBUG_MSG( 2, ( "=> write client key exchange" ) );
if( ssl->session->cipher == SSL_EDH_RSA_DES_168_SHA || if( ssl->session->ciphersuite == SSL_EDH_RSA_DES_168_SHA ||
ssl->session->cipher == SSL_EDH_RSA_AES_128_SHA || ssl->session->ciphersuite == SSL_EDH_RSA_AES_128_SHA ||
ssl->session->cipher == SSL_EDH_RSA_AES_256_SHA || ssl->session->ciphersuite == SSL_EDH_RSA_AES_256_SHA ||
ssl->session->cipher == SSL_EDH_RSA_CAMELLIA_128_SHA || ssl->session->ciphersuite == SSL_EDH_RSA_CAMELLIA_128_SHA ||
ssl->session->cipher == SSL_EDH_RSA_CAMELLIA_256_SHA) ssl->session->ciphersuite == SSL_EDH_RSA_CAMELLIA_256_SHA)
{ {
#if !defined(POLARSSL_DHM_C) #if !defined(POLARSSL_DHM_C)
SSL_DEBUG_MSG( 1, ( "support for dhm in not available" ) ); SSL_DEBUG_MSG( 1, ( "support for dhm in not available" ) );
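Review bot: The five-way EDH comparison in ssl_parse_server_key_exchange is repeated verbatim in ssl_write_client_key_exchange, and again in ssl_write_server_key_exchange and ssl_parse_client_key_exchange on the server side, so this rename had to touch twenty near-identical lines. A ciphersuite added to only some of these lists would make one peer skip a key-exchange message the other expects; a single static helper, e.g. `static int ssl_ciphersuite_uses_dhm( int id )`, called from all four sites would remove that risk. The debug string in ssl_write_client_key_exchange also still reads `support for dhm in not available`, where the server-side counterpart says `is not available`. All four function bodies continue outside the hunks shown.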


@ -112,10 +112,10 @@ static int ssl_parse_client_hello( ssl_context *ssl )
n = ssl->in_left - 5; n = ssl->in_left - 5;
/* /*
* 0 . 1 cipherlist length * 0 . 1 ciphersuitelist length
* 2 . 3 session id length * 2 . 3 session id length
* 4 . 5 challenge length * 4 . 5 challenge length
* 6 . .. cipherlist * 6 . .. ciphersuitelist
* .. . .. session id * .. . .. session id
* .. . .. challenge * .. . .. challenge
*/ */
@ -155,7 +155,7 @@ static int ssl_parse_client_hello( ssl_context *ssl )
return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO ); return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
} }
SSL_DEBUG_BUF( 3, "client hello, cipherlist", SSL_DEBUG_BUF( 3, "client hello, ciphersuitelist",
buf + 6, ciph_len ); buf + 6, ciph_len );
SSL_DEBUG_BUF( 3, "client hello, session id", SSL_DEBUG_BUF( 3, "client hello, session id",
buf + 6 + ciph_len, sess_len ); buf + 6 + ciph_len, sess_len );
@ -171,14 +171,14 @@ static int ssl_parse_client_hello( ssl_context *ssl )
memset( ssl->randbytes, 0, 64 ); memset( ssl->randbytes, 0, 64 );
memcpy( ssl->randbytes + 32 - chal_len, p, chal_len ); memcpy( ssl->randbytes + 32 - chal_len, p, chal_len );
for( i = 0; ssl->ciphers[i] != 0; i++ ) for( i = 0; ssl->ciphersuites[i] != 0; i++ )
{ {
for( j = 0, p = buf + 6; j < ciph_len; j += 3, p += 3 ) for( j = 0, p = buf + 6; j < ciph_len; j += 3, p += 3 )
{ {
if( p[0] == 0 && if( p[0] == 0 &&
p[1] == 0 && p[1] == 0 &&
p[2] == ssl->ciphers[i] ) p[2] == ssl->ciphersuites[i] )
goto have_cipher; goto have_ciphersuite;
} }
} }
} }
@ -237,8 +237,8 @@ static int ssl_parse_client_hello( ssl_context *ssl )
* 10 . 37 random bytes * 10 . 37 random bytes
* 38 . 38 session id length * 38 . 38 session id length
* 39 . 38+x session id * 39 . 38+x session id
* 39+x . 40+x cipherlist length * 39+x . 40+x ciphersuitelist length
* 41+x . .. cipherlist * 41+x . .. ciphersuitelist
* .. . .. compression alg. * .. . .. compression alg.
* .. . .. extensions * .. . .. extensions
*/ */
@ -295,7 +295,7 @@ static int ssl_parse_client_hello( ssl_context *ssl )
memcpy( ssl->session->id, buf + 39 , ssl->session->length ); memcpy( ssl->session->id, buf + 39 , ssl->session->length );
/* /*
* Check the cipherlist length * Check the ciphersuitelist length
*/ */
ciph_len = ( buf[39 + sess_len] << 8 ) ciph_len = ( buf[39 + sess_len] << 8 )
| ( buf[40 + sess_len] ); | ( buf[40 + sess_len] );
@ -321,32 +321,32 @@ static int ssl_parse_client_hello( ssl_context *ssl )
buf + 6, 32 ); buf + 6, 32 );
SSL_DEBUG_BUF( 3, "client hello, session id", SSL_DEBUG_BUF( 3, "client hello, session id",
buf + 38, sess_len ); buf + 38, sess_len );
SSL_DEBUG_BUF( 3, "client hello, cipherlist", SSL_DEBUG_BUF( 3, "client hello, ciphersuitelist",
buf + 41 + sess_len, ciph_len ); buf + 41 + sess_len, ciph_len );
SSL_DEBUG_BUF( 3, "client hello, compression", SSL_DEBUG_BUF( 3, "client hello, compression",
buf + 42 + sess_len + ciph_len, comp_len ); buf + 42 + sess_len + ciph_len, comp_len );
/* /*
* Search for a matching cipher * Search for a matching ciphersuite
*/ */
for( i = 0; ssl->ciphers[i] != 0; i++ ) for( i = 0; ssl->ciphersuites[i] != 0; i++ )
{ {
for( j = 0, p = buf + 41 + sess_len; j < ciph_len; for( j = 0, p = buf + 41 + sess_len; j < ciph_len;
j += 2, p += 2 ) j += 2, p += 2 )
{ {
if( p[0] == 0 && p[1] == ssl->ciphers[i] ) if( p[0] == 0 && p[1] == ssl->ciphersuites[i] )
goto have_cipher; goto have_ciphersuite;
} }
} }
} }
SSL_DEBUG_MSG( 1, ( "got no ciphers in common" ) ); SSL_DEBUG_MSG( 1, ( "got no ciphersuites in common" ) );
return( POLARSSL_ERR_SSL_NO_CIPHER_CHOSEN ); return( POLARSSL_ERR_SSL_NO_CIPHER_CHOSEN );
have_cipher: have_ciphersuite:
ssl->session->cipher = ssl->ciphers[i]; ssl->session->ciphersuite = ssl->ciphersuites[i];
ssl->in_left = 0; ssl->in_left = 0;
ssl->state++; ssl->state++;
@ -397,7 +397,7 @@ static int ssl_write_server_hello( ssl_context *ssl )
/* /*
* 38 . 38 session id length * 38 . 38 session id length
* 39 . 38+n session id * 39 . 38+n session id
* 39+n . 40+n chosen cipher * 39+n . 40+n chosen ciphersuite
* 41+n . 41+n chosen compression alg. * 41+n . 41+n chosen compression alg.
*/ */
ssl->session->length = n = 32; ssl->session->length = n = 32;
@ -439,12 +439,12 @@ static int ssl_write_server_hello( ssl_context *ssl )
SSL_DEBUG_MSG( 3, ( "%s session has been resumed", SSL_DEBUG_MSG( 3, ( "%s session has been resumed",
ssl->resume ? "a" : "no" ) ); ssl->resume ? "a" : "no" ) );
*p++ = (unsigned char)( ssl->session->cipher >> 8 ); *p++ = (unsigned char)( ssl->session->ciphersuite >> 8 );
*p++ = (unsigned char)( ssl->session->cipher ); *p++ = (unsigned char)( ssl->session->ciphersuite );
*p++ = SSL_COMPRESS_NULL; *p++ = SSL_COMPRESS_NULL;
SSL_DEBUG_MSG( 3, ( "server hello, chosen cipher: %d", SSL_DEBUG_MSG( 3, ( "server hello, chosen ciphersuite: %d",
ssl->session->cipher ) ); ssl->session->ciphersuite ) );
SSL_DEBUG_MSG( 3, ( "server hello, compress alg.: %d", 0 ) ); SSL_DEBUG_MSG( 3, ( "server hello, compress alg.: %d", 0 ) );
ssl->out_msglen = p - buf; ssl->out_msglen = p - buf;
@ -532,11 +532,11 @@ static int ssl_write_server_key_exchange( ssl_context *ssl )
SSL_DEBUG_MSG( 2, ( "=> write server key exchange" ) ); SSL_DEBUG_MSG( 2, ( "=> write server key exchange" ) );
if( ssl->session->cipher != SSL_EDH_RSA_DES_168_SHA && if( ssl->session->ciphersuite != SSL_EDH_RSA_DES_168_SHA &&
ssl->session->cipher != SSL_EDH_RSA_AES_128_SHA && ssl->session->ciphersuite != SSL_EDH_RSA_AES_128_SHA &&
ssl->session->cipher != SSL_EDH_RSA_AES_256_SHA && ssl->session->ciphersuite != SSL_EDH_RSA_AES_256_SHA &&
ssl->session->cipher != SSL_EDH_RSA_CAMELLIA_128_SHA && ssl->session->ciphersuite != SSL_EDH_RSA_CAMELLIA_128_SHA &&
ssl->session->cipher != SSL_EDH_RSA_CAMELLIA_256_SHA) ssl->session->ciphersuite != SSL_EDH_RSA_CAMELLIA_256_SHA)
{ {
SSL_DEBUG_MSG( 2, ( "<= skip write server key exchange" ) ); SSL_DEBUG_MSG( 2, ( "<= skip write server key exchange" ) );
ssl->state++; ssl->state++;
@ -702,11 +702,11 @@ static int ssl_parse_client_key_exchange( ssl_context *ssl )
return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE ); return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
} }
if( ssl->session->cipher == SSL_EDH_RSA_DES_168_SHA || if( ssl->session->ciphersuite == SSL_EDH_RSA_DES_168_SHA ||
ssl->session->cipher == SSL_EDH_RSA_AES_128_SHA || ssl->session->ciphersuite == SSL_EDH_RSA_AES_128_SHA ||
ssl->session->cipher == SSL_EDH_RSA_AES_256_SHA || ssl->session->ciphersuite == SSL_EDH_RSA_AES_256_SHA ||
ssl->session->cipher == SSL_EDH_RSA_CAMELLIA_128_SHA || ssl->session->ciphersuite == SSL_EDH_RSA_CAMELLIA_128_SHA ||
ssl->session->cipher == SSL_EDH_RSA_CAMELLIA_256_SHA) ssl->session->ciphersuite == SSL_EDH_RSA_CAMELLIA_256_SHA)
{ {
#if !defined(POLARSSL_DHM_C) #if !defined(POLARSSL_DHM_C)
SSL_DEBUG_MSG( 1, ( "support for dhm is not available" ) ); SSL_DEBUG_MSG( 1, ( "support for dhm is not available" ) );
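Review bot: Both matching loops in ssl_parse_client_hello compare a single byte of the offered suite against the whole int ID (`p[2] == ssl->ciphersuites[i]` in the 3-byte branch, `p[1] == ssl->ciphersuites[i]` in the 2-byte branch) after requiring the leading bytes to be zero, so a configured ID above 0xFF could never be selected. Comparing the full value, for example `( ( p[0] << 8 ) | p[1] ) == ssl->ciphersuites[i]` in the 2-byte branch, removes that hidden assumption. The loops also step through ciph_len in units of 3 and 2, which is safe only if the length checks outside these hunks reject lengths that are not a multiple of the unit; a comment at each loop should say so. POLARSSL_ERR_SSL_NO_CIPHER_CHOSEN keeps the old wording while everything around it was renamed.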


@ -214,7 +214,7 @@ int ssl_derive_keys( ssl_context *ssl )
tls1_prf( ssl->session->master, 48, "key expansion", tls1_prf( ssl->session->master, 48, "key expansion",
ssl->randbytes, 64, keyblk, 256 ); ssl->randbytes, 64, keyblk, 256 );
SSL_DEBUG_MSG( 3, ( "cipher = %s", ssl_get_cipher( ssl ) ) ); SSL_DEBUG_MSG( 3, ( "ciphersuite = %s", ssl_get_ciphersuite( ssl ) ) );
SSL_DEBUG_BUF( 3, "master secret", ssl->session->master, 48 ); SSL_DEBUG_BUF( 3, "master secret", ssl->session->master, 48 );
SSL_DEBUG_BUF( 4, "random bytes", ssl->randbytes, 64 ); SSL_DEBUG_BUF( 4, "random bytes", ssl->randbytes, 64 );
SSL_DEBUG_BUF( 4, "key block", keyblk, 256 ); SSL_DEBUG_BUF( 4, "key block", keyblk, 256 );
@ -224,7 +224,7 @@ int ssl_derive_keys( ssl_context *ssl )
/* /*
* Determine the appropriate key, IV and MAC length. * Determine the appropriate key, IV and MAC length.
*/ */
switch( ssl->session->cipher ) switch( ssl->session->ciphersuite )
{ {
#if defined(POLARSSL_ARC4_C) #if defined(POLARSSL_ARC4_C)
case SSL_RSA_RC4_128_MD5: case SSL_RSA_RC4_128_MD5:
@ -275,8 +275,8 @@ int ssl_derive_keys( ssl_context *ssl )
#endif #endif
default: default:
SSL_DEBUG_MSG( 1, ( "cipher %s is not available", SSL_DEBUG_MSG( 1, ( "ciphersuite %s is not available",
ssl_get_cipher( ssl ) ) ); ssl_get_ciphersuite( ssl ) ) );
return( POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE ); return( POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE );
} }
@ -317,7 +317,7 @@ int ssl_derive_keys( ssl_context *ssl )
ssl->ivlen ); ssl->ivlen );
} }
switch( ssl->session->cipher ) switch( ssl->session->ciphersuite )
{ {
#if defined(POLARSSL_ARC4_C) #if defined(POLARSSL_ARC4_C)
case SSL_RSA_RC4_128_MD5: case SSL_RSA_RC4_128_MD5:
@ -611,10 +611,10 @@ static int ssl_encrypt_buf( ssl_context *ssl )
case 16: case 16:
#if defined(POLARSSL_AES_C) #if defined(POLARSSL_AES_C)
if ( ssl->session->cipher == SSL_RSA_AES_128_SHA || if ( ssl->session->ciphersuite == SSL_RSA_AES_128_SHA ||
ssl->session->cipher == SSL_EDH_RSA_AES_128_SHA || ssl->session->ciphersuite == SSL_EDH_RSA_AES_128_SHA ||
ssl->session->cipher == SSL_RSA_AES_256_SHA || ssl->session->ciphersuite == SSL_RSA_AES_256_SHA ||
ssl->session->cipher == SSL_EDH_RSA_AES_256_SHA) ssl->session->ciphersuite == SSL_EDH_RSA_AES_256_SHA)
{ {
aes_crypt_cbc( (aes_context *) ssl->ctx_enc, aes_crypt_cbc( (aes_context *) ssl->ctx_enc,
AES_ENCRYPT, enc_msglen, AES_ENCRYPT, enc_msglen,
@ -624,10 +624,10 @@ static int ssl_encrypt_buf( ssl_context *ssl )
#endif #endif
#if defined(POLARSSL_CAMELLIA_C) #if defined(POLARSSL_CAMELLIA_C)
if ( ssl->session->cipher == SSL_RSA_CAMELLIA_128_SHA || if ( ssl->session->ciphersuite == SSL_RSA_CAMELLIA_128_SHA ||
ssl->session->cipher == SSL_EDH_RSA_CAMELLIA_128_SHA || ssl->session->ciphersuite == SSL_EDH_RSA_CAMELLIA_128_SHA ||
ssl->session->cipher == SSL_RSA_CAMELLIA_256_SHA || ssl->session->ciphersuite == SSL_RSA_CAMELLIA_256_SHA ||
ssl->session->cipher == SSL_EDH_RSA_CAMELLIA_256_SHA) ssl->session->ciphersuite == SSL_EDH_RSA_CAMELLIA_256_SHA)
{ {
camellia_crypt_cbc( (camellia_context *) ssl->ctx_enc, camellia_crypt_cbc( (camellia_context *) ssl->ctx_enc,
CAMELLIA_ENCRYPT, enc_msglen, CAMELLIA_ENCRYPT, enc_msglen,
@ -716,10 +716,10 @@ static int ssl_decrypt_buf( ssl_context *ssl )
case 16: case 16:
#if defined(POLARSSL_AES_C) #if defined(POLARSSL_AES_C)
if ( ssl->session->cipher == SSL_RSA_AES_128_SHA || if ( ssl->session->ciphersuite == SSL_RSA_AES_128_SHA ||
ssl->session->cipher == SSL_EDH_RSA_AES_128_SHA || ssl->session->ciphersuite == SSL_EDH_RSA_AES_128_SHA ||
ssl->session->cipher == SSL_RSA_AES_256_SHA || ssl->session->ciphersuite == SSL_RSA_AES_256_SHA ||
ssl->session->cipher == SSL_EDH_RSA_AES_256_SHA) ssl->session->ciphersuite == SSL_EDH_RSA_AES_256_SHA)
{ {
aes_crypt_cbc( (aes_context *) ssl->ctx_dec, aes_crypt_cbc( (aes_context *) ssl->ctx_dec,
AES_DECRYPT, dec_msglen, AES_DECRYPT, dec_msglen,
@ -729,10 +729,10 @@ static int ssl_decrypt_buf( ssl_context *ssl )
#endif #endif
#if defined(POLARSSL_CAMELLIA_C) #if defined(POLARSSL_CAMELLIA_C)
if ( ssl->session->cipher == SSL_RSA_CAMELLIA_128_SHA || if ( ssl->session->ciphersuite == SSL_RSA_CAMELLIA_128_SHA ||
ssl->session->cipher == SSL_EDH_RSA_CAMELLIA_128_SHA || ssl->session->ciphersuite == SSL_EDH_RSA_CAMELLIA_128_SHA ||
ssl->session->cipher == SSL_RSA_CAMELLIA_256_SHA || ssl->session->ciphersuite == SSL_RSA_CAMELLIA_256_SHA ||
ssl->session->cipher == SSL_EDH_RSA_CAMELLIA_256_SHA) ssl->session->ciphersuite == SSL_EDH_RSA_CAMELLIA_256_SHA)
{ {
camellia_crypt_cbc( (camellia_context *) ssl->ctx_dec, camellia_crypt_cbc( (camellia_context *) ssl->ctx_dec,
CAMELLIA_DECRYPT, dec_msglen, CAMELLIA_DECRYPT, dec_msglen,
@ -1776,9 +1776,9 @@ void ssl_set_session( ssl_context *ssl, int resume, int timeout,
ssl->session = session; ssl->session = session;
} }
void ssl_set_ciphers( ssl_context *ssl, int *ciphers ) void ssl_set_ciphersuites( ssl_context *ssl, int *ciphersuites )
{ {
ssl->ciphers = ciphers; ssl->ciphersuites = ciphersuites;
} }
void ssl_set_ca_chain( ssl_context *ssl, x509_cert *ca_chain, void ssl_set_ca_chain( ssl_context *ssl, x509_cert *ca_chain,
@ -1872,9 +1872,9 @@ int ssl_get_verify_result( const ssl_context *ssl )
return( ssl->verify_result ); return( ssl->verify_result );
} }
const char *ssl_get_cipher_name( const int cipher_id ) const char *ssl_get_ciphersuite_name( const int ciphersuite_id )
{ {
switch( cipher_id ) switch( ciphersuite_id )
{ {
#if defined(POLARSSL_ARC4_C) #if defined(POLARSSL_ARC4_C)
case SSL_RSA_RC4_128_MD5: case SSL_RSA_RC4_128_MD5:
@ -1927,50 +1927,50 @@ const char *ssl_get_cipher_name( const int cipher_id )
return( "unknown" ); return( "unknown" );
} }
int ssl_get_cipher_id( const char *cipher_name ) int ssl_get_ciphersuite_id( const char *ciphersuite_name )
{ {
#if defined(POLARSSL_ARC4_C) #if defined(POLARSSL_ARC4_C)
if (0 == strcasecmp(cipher_name, "SSL-RSA-RC4-128-MD5")) if (0 == strcasecmp(ciphersuite_name, "SSL-RSA-RC4-128-MD5"))
return( SSL_RSA_RC4_128_MD5 ); return( SSL_RSA_RC4_128_MD5 );
if (0 == strcasecmp(cipher_name, "SSL-RSA-RC4-128-SHA")) if (0 == strcasecmp(ciphersuite_name, "SSL-RSA-RC4-128-SHA"))
return( SSL_RSA_RC4_128_SHA ); return( SSL_RSA_RC4_128_SHA );
#endif #endif
#if defined(POLARSSL_DES_C) #if defined(POLARSSL_DES_C)
if (0 == strcasecmp(cipher_name, "SSL-RSA-DES-168-SHA")) if (0 == strcasecmp(ciphersuite_name, "SSL-RSA-DES-168-SHA"))
return( SSL_RSA_DES_168_SHA ); return( SSL_RSA_DES_168_SHA );
if (0 == strcasecmp(cipher_name, "SSL-EDH-RSA-DES-168-SHA")) if (0 == strcasecmp(ciphersuite_name, "SSL-EDH-RSA-DES-168-SHA"))
return( SSL_EDH_RSA_DES_168_SHA ); return( SSL_EDH_RSA_DES_168_SHA );
#endif #endif
#if defined(POLARSSL_AES_C) #if defined(POLARSSL_AES_C)
if (0 == strcasecmp(cipher_name, "SSL-RSA-AES-128-SHA")) if (0 == strcasecmp(ciphersuite_name, "SSL-RSA-AES-128-SHA"))
return( SSL_RSA_AES_128_SHA ); return( SSL_RSA_AES_128_SHA );
if (0 == strcasecmp(cipher_name, "SSL-EDH-RSA-AES-128-SHA")) if (0 == strcasecmp(ciphersuite_name, "SSL-EDH-RSA-AES-128-SHA"))
return( SSL_EDH_RSA_AES_128_SHA ); return( SSL_EDH_RSA_AES_128_SHA );
if (0 == strcasecmp(cipher_name, "SSL-RSA-AES-256-SHA")) if (0 == strcasecmp(ciphersuite_name, "SSL-RSA-AES-256-SHA"))
return( SSL_RSA_AES_256_SHA ); return( SSL_RSA_AES_256_SHA );
if (0 == strcasecmp(cipher_name, "SSL-EDH-RSA-AES-256-SHA")) if (0 == strcasecmp(ciphersuite_name, "SSL-EDH-RSA-AES-256-SHA"))
return( SSL_EDH_RSA_AES_256_SHA ); return( SSL_EDH_RSA_AES_256_SHA );
#endif #endif
#if defined(POLARSSL_CAMELLIA_C) #if defined(POLARSSL_CAMELLIA_C)
if (0 == strcasecmp(cipher_name, "SSL-RSA-CAMELLIA-128-SHA")) if (0 == strcasecmp(ciphersuite_name, "SSL-RSA-CAMELLIA-128-SHA"))
return( SSL_RSA_CAMELLIA_128_SHA ); return( SSL_RSA_CAMELLIA_128_SHA );
if (0 == strcasecmp(cipher_name, "SSL-EDH-RSA-CAMELLIA-128-SHA")) if (0 == strcasecmp(ciphersuite_name, "SSL-EDH-RSA-CAMELLIA-128-SHA"))
return( SSL_EDH_RSA_CAMELLIA_128_SHA ); return( SSL_EDH_RSA_CAMELLIA_128_SHA );
if (0 == strcasecmp(cipher_name, "SSL-RSA-CAMELLIA-256-SHA")) if (0 == strcasecmp(ciphersuite_name, "SSL-RSA-CAMELLIA-256-SHA"))
return( SSL_RSA_CAMELLIA_256_SHA ); return( SSL_RSA_CAMELLIA_256_SHA );
if (0 == strcasecmp(cipher_name, "SSL-EDH-RSA-CAMELLIA-256-SHA")) if (0 == strcasecmp(ciphersuite_name, "SSL-EDH-RSA-CAMELLIA-256-SHA"))
return( SSL_EDH_RSA_CAMELLIA_256_SHA ); return( SSL_EDH_RSA_CAMELLIA_256_SHA );
#endif #endif
return( 0 ); return( 0 );
} }
const char *ssl_get_cipher( const ssl_context *ssl ) const char *ssl_get_ciphersuite( const ssl_context *ssl )
{ {
return ssl_get_cipher_name( ssl->session->cipher ); return ssl_get_ciphersuite_name( ssl->session->ciphersuite );
} }
const char *ssl_get_version( const ssl_context *ssl ) const char *ssl_get_version( const ssl_context *ssl )
@ -1992,7 +1992,7 @@ const char *ssl_get_version( const ssl_context *ssl )
return( "unknown" ); return( "unknown" );
} }
int ssl_default_ciphers[] = int ssl_default_ciphersuites[] =
{ {
#if defined(POLARSSL_DHM_C) #if defined(POLARSSL_DHM_C)
#if defined(POLARSSL_AES_C) #if defined(POLARSSL_AES_C)
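Review bot: ssl_get_ciphersuite_id() is now declared in the public header, yet it passes ciphersuite_name straight to strcasecmp(), so a NULL argument from any caller is dereferenced; a guard such as `if( ciphersuite_name == NULL ) return( 0 );` at the top matches the documented "not found" result. Its name strings form a second hand-maintained table next to the switch in ssl_get_ciphersuite_name(), and nothing keeps the two in step; a comment on both saying they must be updated together would help. In the unchanged context of ssl_derive_keys, the master secret and key block are written through SSL_DEBUG_BUF at levels 3 and 4, which deserves a comment warning that those debug levels expose key material.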


@ -101,7 +101,7 @@ int main( void )
ssl_set_bio( &ssl, net_recv, &server_fd, ssl_set_bio( &ssl, net_recv, &server_fd,
net_send, &server_fd ); net_send, &server_fd );
ssl_set_ciphers( &ssl, ssl_default_ciphers ); ssl_set_ciphersuites( &ssl, ssl_default_ciphersuites );
ssl_set_session( &ssl, 1, 600, &ssn ); ssl_set_session( &ssl, 1, 600, &ssn );
/* /*


@ -248,7 +248,7 @@ int main( int argc, char *argv[] )
ssl_set_bio( &ssl, net_recv, &server_fd, ssl_set_bio( &ssl, net_recv, &server_fd,
net_send, &server_fd ); net_send, &server_fd );
ssl_set_ciphers( &ssl, ssl_default_ciphers ); ssl_set_ciphersuites( &ssl, ssl_default_ciphersuites );
ssl_set_session( &ssl, 1, 600, &ssn ); ssl_set_session( &ssl, 1, 600, &ssn );
ssl_set_ca_chain( &ssl, &cacert, NULL, opt.server_name ); ssl_set_ca_chain( &ssl, &cacert, NULL, opt.server_name );
@ -271,8 +271,8 @@ int main( int argc, char *argv[] )
} }
} }
printf( " ok\n [ Cipher is %s ]\n", printf( " ok\n [ Ciphersuite is %s ]\n",
ssl_get_cipher( &ssl ) ); ssl_get_ciphersuite( &ssl ) );
/* /*
* 5. Verify the server certificate * 5. Verify the server certificate


@ -66,7 +66,7 @@ char *my_dhm_G = "4";
/* /*
* Sorted by order of preference * Sorted by order of preference
*/ */
int my_ciphers[] = int my_ciphersuites[] =
{ {
SSL_EDH_RSA_AES_256_SHA, SSL_EDH_RSA_AES_256_SHA,
SSL_EDH_RSA_CAMELLIA_256_SHA, SSL_EDH_RSA_CAMELLIA_256_SHA,
@ -119,7 +119,7 @@ static int my_get_session( ssl_context *ssl )
if( ssl->timeout != 0 && t - prv->start > ssl->timeout ) if( ssl->timeout != 0 && t - prv->start > ssl->timeout )
continue; continue;
if( ssl->session->cipher != prv->cipher || if( ssl->session->ciphersuite != prv->ciphersuite ||
ssl->session->length != prv->length ) ssl->session->length != prv->length )
continue; continue;
@ -287,7 +287,7 @@ accept:
ssl_set_scb( &ssl, my_get_session, ssl_set_scb( &ssl, my_get_session,
my_set_session ); my_set_session );
ssl_set_ciphers( &ssl, my_ciphers ); ssl_set_ciphersuites( &ssl, my_ciphersuites );
ssl_set_session( &ssl, 1, 0, &ssn ); ssl_set_session( &ssl, 1, 0, &ssn );
memset( &ssn, 0, sizeof( ssl_session ) ); memset( &ssn, 0, sizeof( ssl_session ) );
@ -360,7 +360,7 @@ accept:
fflush( stdout ); fflush( stdout );
len = sprintf( (char *) buf, HTTP_RESPONSE, len = sprintf( (char *) buf, HTTP_RESPONSE,
ssl_get_cipher( &ssl ) ); ssl_get_ciphersuite( &ssl ) );
while( ( ret = ssl_write( &ssl, buf, len ) ) <= 0 ) while( ( ret = ssl_write( &ssl, buf, len ) ) <= 0 )
{ {


@ -91,7 +91,7 @@ struct options
int max_connections; /* max. number of reconnections */ int max_connections; /* max. number of reconnections */
int session_reuse; /* flag to reuse the keying material */ int session_reuse; /* flag to reuse the keying material */
int session_lifetime; /* if reached, session data is expired */ int session_lifetime; /* if reached, session data is expired */
int force_cipher[2]; /* protocol/cipher to use, or all */ int force_ciphersuite[2]; /* protocol/ciphersuite to use, or all */
}; };
/* /*
@ -242,9 +242,9 @@ static int ssl_test( struct options *opt )
ssl_set_session( &ssl, opt->session_reuse, ssl_set_session( &ssl, opt->session_reuse,
opt->session_lifetime, &ssn ); opt->session_lifetime, &ssn );
if( opt->force_cipher[0] == DFL_FORCE_CIPHER ) if( opt->force_ciphersuite[0] == DFL_FORCE_CIPHER )
ssl_set_ciphers( &ssl, ssl_default_ciphers ); ssl_set_ciphersuites( &ssl, ssl_default_ciphersuites );
else ssl_set_ciphers( &ssl, opt->force_cipher ); else ssl_set_ciphersuites( &ssl, opt->force_ciphersuite );
if( opt->iomode == IOMODE_NONBLOCK ) if( opt->iomode == IOMODE_NONBLOCK )
net_set_nonblock( client_fd ); net_set_nonblock( client_fd );
@ -389,17 +389,13 @@ exit:
" max_connections=%%d default: 0 (no limit)\n" \ " max_connections=%%d default: 0 (no limit)\n" \
" session_reuse=on/off default: on (enabled)\n" \ " session_reuse=on/off default: on (enabled)\n" \
" session_lifetime=%%d (s) default: 86400\n" \ " session_lifetime=%%d (s) default: 86400\n" \
" force_cipher=<name> default: all enabled\n" \ " force_ciphersuite=<name> default: all enabled\n" \
" acceptable cipher names:\n" \ " acceptable ciphersuite names:\n"
" SSL_RSA_RC4_128_MD5 SSL_RSA_RC4_128_SHA\n" \
" SSL_RSA_DES_168_SHA SSL_EDH_RSA_DES_168_SHA\n" \
" SSL_RSA_AES_128_SHA SSL_EDH_RSA_AES_256_SHA\n" \
" SSL_RSA_AES_256_SHA SSL_EDH_RSA_CAMELLIA_256_SHA\n" \
" SSL_RSA_CAMELLIA_128_SHA SSL_RSA_CAMELLIA_256_SHA\n\n"
int main( int argc, char *argv[] ) int main( int argc, char *argv[] )
{ {
int i, j, n; int i, j, n;
const int *list;
int ret = 1; int ret = 1;
int nb_conn; int nb_conn;
char *p, *q; char *p, *q;
@ -409,6 +405,14 @@ int main( int argc, char *argv[] )
{ {
usage: usage:
printf( USAGE ); printf( USAGE );
list = ssl_list_ciphersuites();
while( *list )
{
printf(" %s\n", ssl_get_ciphersuite_name( *list ) );
list++;
}
printf("\n");
goto exit; goto exit;
} }
@ -424,7 +428,7 @@ int main( int argc, char *argv[] )
opt.max_connections = DFL_MAX_CONNECTIONS; opt.max_connections = DFL_MAX_CONNECTIONS;
opt.session_reuse = DFL_SESSION_REUSE; opt.session_reuse = DFL_SESSION_REUSE;
opt.session_lifetime = DFL_SESSION_LIFETIME; opt.session_lifetime = DFL_SESSION_LIFETIME;
opt.force_cipher[0] = DFL_FORCE_CIPHER; opt.force_ciphersuite[0] = DFL_FORCE_CIPHER;
for( i = 1; i < argc; i++ ) for( i = 1; i < argc; i++ )
{ {
@ -520,44 +524,16 @@ int main( int argc, char *argv[] )
if( strcmp( p, "session_lifetime" ) == 0 ) if( strcmp( p, "session_lifetime" ) == 0 )
opt.session_lifetime = atoi( q ); opt.session_lifetime = atoi( q );
if( strcmp( p, "force_cipher" ) == 0 ) if( strcmp( p, "force_ciphersuite" ) == 0 )
{ {
opt.force_cipher[0] = -1; opt.force_ciphersuite[0] = -1;
if( strcmp( q, "ssl_rsa_rc4_128_md5" ) == 0 ) opt.force_ciphersuite[0] = ssl_get_ciphersuite_id( q );
opt.force_cipher[0] = SSL_RSA_RC4_128_MD5;
if( strcmp( q, "ssl_rsa_rc4_128_sha" ) == 0 ) if( opt.force_ciphersuite[0] <= 0 )
opt.force_cipher[0] = SSL_RSA_RC4_128_SHA;
if( strcmp( q, "ssl_rsa_des_168_sha" ) == 0 )
opt.force_cipher[0] = SSL_RSA_DES_168_SHA;
if( strcmp( q, "ssl_edh_rsa_des_168_sha" ) == 0 )
opt.force_cipher[0] = SSL_EDH_RSA_DES_168_SHA;
if( strcmp( q, "ssl_rsa_aes_128_sha" ) == 0 )
opt.force_cipher[0] = SSL_RSA_AES_128_SHA;
if( strcmp( q, "ssl_rsa_aes_256_sha" ) == 0 )
opt.force_cipher[0] = SSL_RSA_AES_256_SHA;
if( strcmp( q, "ssl_edh_rsa_aes_256_sha" ) == 0 )
opt.force_cipher[0] = SSL_EDH_RSA_AES_256_SHA;
if( strcmp( q, "ssl_rsa_camellia_128_sha" ) == 0 )
opt.force_cipher[0] = SSL_RSA_CAMELLIA_128_SHA;
if( strcmp( q, "ssl_rsa_camellia_256_sha" ) == 0 )
opt.force_cipher[0] = SSL_RSA_CAMELLIA_256_SHA;
if( strcmp( q, "ssl_edh_rsa_camellia_256_sha" ) == 0 )
opt.force_cipher[0] = SSL_EDH_RSA_CAMELLIA_256_SHA;
if( opt.force_cipher[0] < 0 )
goto usage; goto usage;
opt.force_cipher[1] = 0; opt.force_ciphersuite[1] = 0;
} }
} }
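Review bot: `opt.force_ciphersuite[0] = -1;` is a dead store now that the next statement assigns the result of ssl_get_ciphersuite_id( q ); the line can be dropped. The lookup also changes which spellings are accepted: the removed strcmp chain took lower-case underscore names such as `ssl_rsa_rc4_128_md5`, while ssl_get_ciphersuite_id() matches hyphenated names like `SSL-RSA-RC4-128-MD5`, so existing invocations will fall through to usage. The commit message or the usage text should say so. DFL_FORCE_CIPHER keeps the old name next to the renamed force_ciphersuite field.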


@ -224,7 +224,7 @@ int main( int argc, char *argv[] )
ssl_set_bio( &ssl, net_recv, &server_fd, ssl_set_bio( &ssl, net_recv, &server_fd,
net_send, &server_fd ); net_send, &server_fd );
ssl_set_ciphers( &ssl, ssl_default_ciphers ); ssl_set_ciphersuites( &ssl, ssl_default_ciphersuites );
ssl_set_session( &ssl, 1, 600, &ssn ); ssl_set_session( &ssl, 1, 600, &ssn );
ssl_set_own_cert( &ssl, &clicert, &rsa ); ssl_set_own_cert( &ssl, &clicert, &rsa );